Dans Macabre
Apr 24, 2004


devmd01 posted:

There's only one way to find out :unsmigghh:

Trip report: it was safe to do during business hours :shobon:

%99.99 snipe level agreement


devmd01
Mar 7, 2006

Elektronik
Supersonik
I just trimmed 7 domain controllers down to 4, switched from FRS to DFSR for sysvol, and I'll be replacing the remaining 4 with server 2016 DCs. One of the other engineers is amazed at how fast objects replicate now and I'm like "no poo poo, you had way more DCs than needed."

Can't bump to 2016 functional level until our archive exchange 2010 server goes away next year, ugh.

Question about delegated rights: a predecessor granted domain users read delegation to the primary OU where users were located. I'm trying to think of why this could be a bad idea and I'm coming up short. I discovered it after we migrated users to a new OU and it broke some applications, because the service accounts needed read delegation to work. I'd rather go least privileged and put the appropriate service accounts in a security group that has read delegation to the new OU, instead of granting to domain users. Any thoughts?

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Good timing on 2016. We upgraded to 2016 DC's and all our Windows 7 workstations would have the explorer.exe crash randomly. Hundreds of machines. They finally patched that last month.

devmd01
Mar 7, 2006

Elektronik
Supersonik
That's....disturbing. What was the fix, the monthly cumulative for win7? I'll want to validate deployment of it with desktop before I go any further.

AreWeDrunkYet
Jul 8, 2006

devmd01 posted:

Question about delegated rights: a predecessor granted domain users read delegation to the primary OU where users were located. I'm trying to think of why this could be a bad idea and I'm coming up short. I discovered it after we migrated users to a new OU and it broke some applications, because the service accounts needed read delegation to work. I'd rather go least privileged and put the appropriate service accounts in a security group that has read delegation to the new OU, instead of granting to domain users. Any thoughts?

There's not a lot of downside to read rights across the board, with the exception that now anyone can spin up a job that could peg your DCs.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

devmd01 posted:

That's....disturbing. What was the fix, the monthly cumulative for win7? I'll want to validate deployment of it with desktop before I go any further.

It was a nightmare. IE would crash upon load, and opening explorer.exe would give you permissions errors, then that too would crash. It wouldn't happen all the time, just randomly, and then go away randomly. You couldn't force it to happen. We had an incident with Microsoft open since April and it was finally fixed at the beginning of July. The workaround was to use Chrome or Firefox and open your explorer window via My Computer.

Yeah the cumulative update seemed to fix it. At least no users have reported the issue since we pushed that out. And they know to tell me if it happens again.

The only good thing is that it pushed our Windows 10 deployment, so all our laptop users got migrated to Windows 10 off Windows 7.

Briantist
Dec 5, 2003

The Professor does not approve of your post.
Lipstick Apathy
Beware that there are DNS bugs in 2016. Some are related to DNS Policies, but there's a bug regarding delegated and stub zones and CNAME resolution; a bug which does not exist in earlier versions. Microsoft is aware of the problem, but I have no idea when a fix might be available.

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.

devmd01 posted:

switched from FRS to DFSR for sysvol

How smooth was the process? Leadership has cold feet on doing it, but from what I've seen it's pretty painless despite taking a couple of weeks to complete.

Mind elaborating on your experience a little?

devmd01
Mar 7, 2006

Elektronik
Supersonik
I've done it for three domains at two jobs so far during the middle of the day with no impact. The doc is pretty comprehensive on the migration steps, it really is as easy as going down each command. Just make sure that you have every domain controller open and understand how your replication links are set up, so you can speed things up with a repadmin /syncall /AeV instead of having to wait for replication to occur each step.

E: takes about an hour or two in a domain with 4-6 DCs and multiple sites.

devmd01 fucked around with this message at 21:43 on Jul 18, 2017
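Added example, not from devmd01 or anyone else in the thread: a script that walks the FRS-to-DFSR SYSVOL migration through its three global states and forces replication between checks the way the post above describes. It assumes you run it as a Domain Admin on a writable DC (dfsrmig.exe and repadmin.exe are built in), that the domain functional level is already 2008 or higher, and that FRS SYSVOL is healthy before you start. The phrase it looks for in dfsrmig's output is what Server 2012 R2/2016 print; confirm it on your build before trusting the loop.

```powershell
# Added example (not from the thread). Assumes: Domain Admin, run on a writable DC,
# DFL >= 2008, healthy FRS SYSVOL. Placeholder-free, but verify dfsrmig's wording on your build.
$ErrorActionPreference = 'Stop'

$States = @{
    1 = 'Prepared'    # DFSR builds SYSVOL_DFSR alongside SYSVOL; FRS is still authoritative
    2 = 'Redirected'  # the SYSVOL share now points at SYSVOL_DFSR; FRS still replicates the old copy
    3 = 'Eliminated'  # FRS is removed; no rollback from here short of a restore
}

function Invoke-ForcedReplication {
    # /A all partitions, /e cross-site (enterprise), /V verbose: what devmd01 uses between steps
    repadmin /syncall /AeV | Out-Null
}

function Wait-DfsrMigrationState {
    param([int]$State, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Invoke-ForcedReplication
        Start-Sleep -Seconds 30
        $status = (dfsrmig /getmigrationstate) -join "`n"
        # dfsrmig prints "Migration has reached a consistent state on all Domain Controllers"
        # once every DC has caught up with the global state; until then it lists the laggards
        if ($status -match 'consistent state') { return $true }
        Write-Host ("Still waiting for state {0} ({1}):`n{2}" -f $State, $States[$State], $status)
    } while ((Get-Date) -lt $deadline)
    return $false
}

foreach ($state in 1..3) {
    if ($state -eq 3) {
        # Eliminated cannot be undone: eyeball SYSVOL_DFSR and GPO processing on every DC first
        Read-Host "About to set 'Eliminated' (irreversible). Verify SYSVOL_DFSR on each DC, then press Enter"
    }
    Write-Host ("== Setting global state {0} ({1}) ==" -f $state, $States[$state])
    dfsrmig /setglobalstate $state
    if (-not (Wait-DfsrMigrationState -State $state)) {
        throw "Not all DCs reached state $state in time; run 'dfsrmig /getmigrationstate', fix the laggards, then re-run"
    }
    dfsrmig /getglobalstate
}
```

The lagging-DC list that dfsrmig /getmigrationstate prints is the reason to have every DC and its replication links in front of you: a DC that never shows up as consistent is almost always one whose inbound connection you have not forced yet.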

mayodreams
Jul 4, 2003


Hello darkness,
my old friend

Briantist posted:

Beware that there are DNS bugs in 2016. Some are related to DNS Policies, but there's a bug regarding delegated and stub zones and CNAME resolution; a bug which does not exist in earlier versions. Microsoft is aware of the problem, but I have no idea when a fix might be available.

Do you have any links for those bugs? I am seeing some DNS fuckery in 2016 and I wonder if it's correlated.

Also, this is why you don't let your security guys jump onto 2016 for a prod environment 3 months after it ships. :ughh:

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

We just put ours in Aprilish and we thought that would be enough time :mad:

peak debt
Mar 11, 2001
b& :(
Nap Ghost

AreWeDrunkYet posted:

There's not a lot of downside to read rights across the board, with the exception that now anyone can spin up a job that could peg your DCs.

"Authenticated User" already has read rights on all of AD by default, with the exception of very few attributes.

If you are using Bitlocker with the recovery key stored in AD I'd check whether a nonprivileged account can read that particular attribute (msFVE-RecoveryInformation), otherwise this is nothing special.

Edit: After upgrading to Server 2016 DCs, we had some weird explorer.exe crashes for a few users that were resolved by deleting the SID history from an 8 year old domain migration.

peak debt fucked around with this message at 16:17 on Jul 19, 2017

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Bitlocker keys are an attribute of the computer object, and it sounds like the permissions were delegated on a user object OU, so that shouldn't be a problem. If you are doing something in your GAL to hide phone #s of execs or something, you might have an issue where you can bypass that with an LDAP query.
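Added example, mine rather than anything the posters above wrote, covering the two checks they raise: peak debt's suggestion to test whether a non-privileged account can actually read msFVE-RecoveryInformation, and devmd01's question about what a broad read delegation on an OU really hands out. It assumes RSAT's ActiveDirectory module (which also provides the AD: drive) and the OU distinguished name is a placeholder. Run the readability test under the ordinary account you are worried about (for example via runas), not as an admin, or it proves nothing.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module; OU DN is a placeholder.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=corp,DC=example'   # assumption: the OU you care about
$BroadPrincipals = @('Authenticated Users', 'Domain Users', 'Everyone',
                     'Pre-Windows 2000 Compatible Access')

function Test-RecoveryPasswordReadable {
    # Returns the recovery objects whose password attribute came back for the CURRENT account.
    # No error is raised when access is denied: the objects simply do not appear, or the
    # attribute is missing, which is exactly why you run this as the low-privilege user.
    param([string]$Base)
    Get-ADObject -SearchBase $Base -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                 -Properties 'msFVE-RecoveryPassword' |
        Where-Object { $_.'msFVE-RecoveryPassword' } |
        Select-Object DistinguishedName, @{n='Password'; e={ $_.'msFVE-RecoveryPassword' }}
}

function Get-BroadReadAces {
    # Lists Allow ACEs on the OU that grant read-type rights to broad principals.
    # ObjectType is all zeros when the ACE covers every attribute; a specific GUID means it
    # was delegated for one attribute/class only (a much smaller exposure).
    param([string]$Base)
    $acl = Get-Acl -Path ("AD:\" + $Base)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ("$($ace.ActiveDirectoryRights)" -notmatch 'GenericRead|GenericAll|ReadProperty|ListChildren') { continue }
        $who = $ace.IdentityReference.Value            # e.g. CORP\Domain Users, NT AUTHORITY\Authenticated Users
        if ($who.Split('\')[-1] -in $BroadPrincipals) {
            [pscustomobject]@{
                Principal   = $who
                Rights      = $ace.ActiveDirectoryRights
                Inheritance = $ace.InheritanceType
                ObjectType  = $ace.ObjectType
                Inherited   = $ace.IsInherited
            }
        }
    }
}

$exposed = @(Test-RecoveryPasswordReadable -Base $SearchBase)
if ($exposed.Count -gt 0) {
    Write-Warning ("{0} BitLocker recovery password(s) readable as {1}\{2}" -f $exposed.Count, $env:USERDOMAIN, $env:USERNAME)
    $exposed | Select-Object DistinguishedName | Format-Table -AutoSize
} else {
    Write-Host "No recovery passwords readable as $env:USERDOMAIN\$env:USERNAME"
}

Write-Host "`nBroad read ACEs on $SearchBase (inherited ones came from a parent, check there):"
Get-BroadReadAces -Base $SearchBase | Format-Table -AutoSize
```

The ACE listing only shows what is set at the OU level; the computer objects and the recovery objects underneath can carry their own explicit ACEs, which is why the live read test is the part that settles the question. The same two functions, pointed at a user OU and a different LDAP filter, answer the GAL-hiding point: ACLs decide what an LDAP query returns, not the address book.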

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy


This still doesn't actually... work, right?

Employees are complaining that it's impossible to collaborate on Sharepoint word/excel docs together in a team of five (locked due to editing when no one is editing, saving in the wrong places etc) and I'm chalking it up Microsoft not having improved anything since the last time I tried to sort this poo poo out 6 years ago.

Any affordable enterprise alternatives or do I have to just hold my nose?

Thanks Ants
May 21, 2004

#essereFerrari


Only SharePoint will let you co-author Office documents.

thebigcow
Jan 3, 2001

Bully!

Thanks Ants posted:

Only SharePoint will let you co-author Office documents.

Isn't OneDrive for Business just sharepoint?

quote:

With Office 2016 and OneDrive for Business, you can co-edit and share documents right from your Office apps like Word, Excel, PowerPoint and Visio. If you sync your files to your computer, OneDrive and Office work together to sync documents and let you work with other people on shared documents at the same time.

But apparently not

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

I use OneDrive business for work collab and the sync stuff is definitely Sharepoint on the backend.

Thanks Ants
May 21, 2004

#essereFerrari


It is SharePoint, yeah. Sorry for making that not too clear.

Hippie Hedgehog
Feb 19, 2007

Ever cuddled a hedgehog?

Zero VGS posted:



This still doesn't actually... work, right?

Employees are complaining that it's impossible to collaborate on Sharepoint word/excel docs together in a team of five (locked due to editing when no one is editing, saving in the wrong places etc) and I'm chalking it up Microsoft not having improved anything since the last time I tried to sort this poo poo out 6 years ago.

Any affordable enterprise alternatives or do I have to just hold my nose?

Simultaneous editing of Excel files has been working quite well for me. But Word, no, merging text files is still a task people struggle with no matter how nice the tools you give them are. The concept of merging two edits into a third version is just too much for non-programmers to wrap their heads around.

Methanar
Sep 26, 2013

by the sex ghost

Zero VGS posted:



This still doesn't actually... work, right?

Employees are complaining that it's impossible to collaborate on Sharepoint word/excel docs together in a team of five (locked due to editing when no one is editing, saving in the wrong places etc) and I'm chalking it up Microsoft not having improved anything since the last time I tried to sort this poo poo out 6 years ago.

Any affordable enterprise alternatives or do I have to just hold my nose?

Force everyone to use git.

Thanks Ants
May 21, 2004

#essereFerrari


Google Docs seems fine :smuggo:

peak debt
Mar 11, 2001
b& :(
Nap Ghost
There's this new product called Google Wave that will allow you to seamlessly co-edit documents. The demo video looks really cool I can't wait for the release.

nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe

peak debt posted:

There's this new product called Google Wave that will allow you to seamlessly co-edit documents. The demo video looks really cool I can't wait for the release.

I'm really hoping this is super-thick sarcasm

https://en.wikipedia.org/wiki/Apache_Wave - released in 2009.

Dans Macabre
Apr 24, 2004


Thanks Ants posted:

Google Docs seems fine :smuggo:

haha

Briantist
Dec 5, 2003

The Professor does not approve of your post.
Lipstick Apathy

mayodreams posted:

Do you have any links for those bugs? I am seeing some DNS fuckery in 2016 and I wonder if its correlated.

Also, this is why you don't let your security guys jump onto 2016 for a prod environment 3 months after it ships. :ughh:

Delegated/Stub Zone Issue (and another), and for an in-depth diagnosis.

DNS Policies Issue

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
We have a weird server setup, where we have an IIS frontend, which talks to a couple of servers with standalone SQL Server Reporting Services, which then talk to a SQL database backend. Our test/QA and dev environments use an IIS frontend that talks to a SQL database server with SSRS built in. The DBA/webdevs "recently" discovered an issue in production where some reports will throw 401 errors after the query has run for ~60 seconds. This doesn't happen in test/QA. I say "recently" because we did install a secondary IIS frontend and put haproxy in front to load-balance them, but internally we haven't made the DNS changeover to redirect to the VIP, but this 401 timeout issue is getting blamed on the load balancer. Getting the web/DBA team to accurately describe anything is like pulling loving teeth. A few weeks ago the morning after we deployed the loadbalancer to the public, we got an urgent all-hands call that all reports were erroring out, and then going through discovery it was changed to an intermittent issue affecting all reports, and eventually it was determined to be just one singular report that was erroring, because they had configured it wrong.

Anyway. What it looks like the issue might be is that we should be using Kerberos authentication to make the "double-hop" from frontend to reporting server to SQL database. Has anyone else had any experience with this setup? The whole thing seems to be documented pretty thoroughly, so I'm not too concerned, but I'd like to know if anyone has run into a similar issue or can tell me about any traps I might run into. This weekend I'll be telling the reporting services on one of the test/QA boxes to talk to the other test/QA box's database and then rolling out these Kerberos changes.

Briantist
Dec 5, 2003

The Professor does not approve of your post.
Lipstick Apathy

anthonypants posted:

We have a weird server setup, where we have an IIS frontend, which talks to a couple of servers with standalone SQL Server Reporting Services, which then talk to a SQL database backend. Our test/QA and dev environments use an IIS frontend that talks to a SQL database server with SSRS built in. The DBA/webdevs "recently" discovered an issue in production where some reports will throw 401 errors after the query has run for ~60 seconds. This doesn't happen in test/QA. I say "recently" because we did install a secondary IIS frontend and put haproxy in front to load-balance them, but internally we haven't made the DNS changeover to redirect to the VIP, but this 401 timeout issue is getting blamed on the load balancer. Getting the web/DBA team to accurately describe anything is like pulling loving teeth. A few weeks ago the morning after we deployed the loadbalancer to the public, we got an urgent all-hands call that all reports were erroring out, and then going through discovery it was changed to an intermittent issue affecting all reports, and eventually it was determined to be just one singular report that was erroring, because they had configured it wrong.

Anyway. What it looks like the issue might be is that we should be using Kerberos authentication to make the "double-hop" from frontend to reporting server to SQL database. Has anyone else had any experience with this setup? The whole thing seems to be documented pretty thoroughly, so I'm not too concerned, but I'd like to know if anyone has run into a similar issue or can tell me about any traps I might run into. This weekend I'll be telling the reporting services on one of the test/QA boxes to talk to the other test/QA box's database and then rolling out these Kerberos changes.

I don't have experience with this use case directly, but the term double-hop generally describes the problem, not the solution. The solutions are usually kerberos delegation, or an alternative authentication scheme (CredSSP), but they both have their caveats and (critically) security concerns.

I can't really fathom how a double-hop issue would only affect a single report though. It either is a problem or it isn't. It's not something that shows itself intermittently, unless the second hop is triggered intermittently.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Briantist posted:

I don't have experience with this use case directly, but the term double-hop generally describes the problem, not the solution. The solutions are usually kerberos delegation, or an alternative authentication scheme (CredSSP), but they both have their caveats and (critically) security concerns.

I can't really fathom how a double-hop issue would only affect a single report though. It either is a problem or it isn't. It's not something that shows itself intermittently, unless the second hop is triggered intermittently.

After turning HTTP logging on at the reporting server, we're definitely getting constant 401 errors that would seem to indicate the double-hop issue, so this is what we're moving forward with. I also don't know why reports that run longer than 60 seconds get killed, but my best guess is that the reports server does enough caching that it takes 60 seconds worth of calculations before it starts asking the backend for updates, at which point it hits the 401 wall.
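Added example, not from anthonypants or Briantist: the AD side of fixing the second hop the way Briantist suggests, with Kerberos constrained delegation rather than the unconstrained flag or CredSSP, plus an audit for accounts that already have the unconstrained kind. Service account names, host names and the SQL port are placeholders; it assumes RSAT's ActiveDirectory module and Domain Admin rights (or equivalent delegation on the service accounts).

```powershell
# Added example (not from the thread). Placeholders: svc_ssrs, svc_sql, rpt01/sql01, port 1433.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$SsrsAccount = 'svc_ssrs'              # assumption: account the SSRS service runs as
$SsrsHost    = 'rpt01.corp.example'    # assumption: report server FQDN clients actually use
$SqlAccount  = 'svc_sql'               # assumption: account the SQL Server service runs as
$SqlHost     = 'sql01.corp.example'
$SqlPort     = 1433
$SqlSpn      = "MSSQLSvc/$($SqlHost):$SqlPort"

# 1. SPNs. Without an HTTP SPN on the SSRS account the browser falls back to NTLM on hop one,
#    and an NTLM identity cannot be forwarded, so hop two to SQL fails with 401.
#    setspn -S refuses to create a duplicate, which is the check you want here.
setspn -S "HTTP/$SsrsHost" $SsrsAccount
setspn -S $SqlSpn $SqlAccount

# 2. Constrained delegation: svc_ssrs may request service tickets to *this SPN only* on behalf
#    of the calling user (S4U2Proxy). Kerberos-only, so hop one must itself be Kerberos.
Set-ADUser -Identity $SsrsAccount -Add @{ 'msDS-AllowedToDelegateTo' = $SqlSpn }
# Make sure nobody "fixed" it earlier with the unconstrained flag, which lets the account
# impersonate every user that ever authenticated to it, against any service.
Set-ADAccountControl -Identity $SsrsAccount -TrustedForDelegation $false

# 3. Audit: every account with TRUSTED_FOR_DELEGATION (userAccountControl bit 0x80000).
#    Domain controllers legitimately carry this bit; anything else needs a justification.
function Get-UnconstrainedDelegation {
    $filter = '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
    $users     = Get-ADUser     -LDAPFilter $filter -Properties ServicePrincipalName
    $computers = Get-ADComputer -LDAPFilter $filter -Properties ServicePrincipalName
    @($users) + @($computers) |
        Select-Object Name, ObjectClass, @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } }
}

Get-UnconstrainedDelegation | Format-Table -AutoSize
```

On the SSRS side the report server still has to be told to negotiate Kerberos: the AuthenticationTypes element in rsreportserver.config needs RSWindowsNegotiate listed, and the HTTP SPN must match the host name users type, or the VIP name once the haproxy cutover happens. Checking the security event log on the report server for logon type 3 with an authentication package of Kerberos rather than NTLM is the quickest way to confirm hop one before blaming hop two.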

EssOEss
Oct 23, 2006
128-bit approved
Re: building Windows setup ISOs with patches already applied.

Took a lot of random patchwork assembling of stuff from different articles but so far this seems to be working out fine:

1. Get suitable .msu format patches from the Microsoft Update Catalog.
2. Extract files from setup ISO.
3. Mount WIM.
4. Add-Package all the .msu files using dism.exe
5. Save changes to WIM
6. Make a new Windows install iso using oscdimg.exe from the Windows ADK.

I have got it fully automated and all I need to do to make new ISOs is to check in an updated list of URLs for the patches to install. This cuts a lot of time off the custom image building, so I am happy. Thanks for all the suggestions!
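Added example, not EssOEss's own automation: the same six steps using the DISM PowerShell module (the cmdlet form of dism.exe /Add-Package) and oscdimg.exe from the ADK, with one addition a supply-chain-minded person would want in a pipeline that bakes packages into every image: refuse any .msu whose Authenticode signature is not valid and from Microsoft. It assumes the ADK is installed at its default path, the ISO contents have already been extracted to $SourceDir, and the downloaded .msu files sit in $PatchDir; all paths are placeholders.

```powershell
# Added example (not from the thread). Placeholders: every path below; index 1 of install.wim.
$ErrorActionPreference = 'Stop'

$SourceDir  = 'C:\build\extracted'   # assumption: extracted ISO contents (step 2)
$PatchDir   = 'C:\build\patches'     # assumption: .msu files from the Update Catalog (step 1)
$MountDir   = 'C:\build\mount'
$OutputIso  = 'C:\build\win-patched.iso'
$ImageIndex = 1                      # edition inside install.wim to service
$Oscdimg    = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\Oscdimg\oscdimg.exe'

$wim = Join-Path $SourceDir 'sources\install.wim'
New-Item -ItemType Directory -Force -Path $MountDir | Out-Null

# Order matters: the servicing stack update must be applied before the cumulative update.
# Name the files so the SSU sorts first, or replace Sort-Object with an explicit list.
$patches = Get-ChildItem -Path $PatchDir -Filter *.msu | Sort-Object Name
if (-not $patches) { throw "No .msu files found in $PatchDir" }

# Gate: a tampered or substituted package here ends up in every machine built from this ISO.
# .msu packages carry an Authenticode signature, so this check is cheap.
foreach ($p in $patches) {
    $sig = Get-AuthenticodeSignature -FilePath $p.FullName
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        throw "Refusing $($p.Name): signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
    }
}

# Step 3: mount; steps 4-5: add packages and save (discard on any failure so the WIM stays clean)
Mount-WindowsImage -ImagePath $wim -Index $ImageIndex -Path $MountDir | Out-Null
try {
    foreach ($p in $patches) {
        Write-Host "Adding $($p.Name)"
        Add-WindowsPackage -Path $MountDir -PackagePath $p.FullName | Out-Null
    }
    # Record the resulting patch level in the build log
    Get-WindowsPackage -Path $MountDir |
        Where-Object PackageState -eq 'Installed' |
        Select-Object PackageName, InstallTime | Format-Table -AutoSize
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
} catch {
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}

# Step 6: BIOS + UEFI bootable ISO with the standard oscdimg boot-data switch
$biosBoot = Join-Path $SourceDir 'boot\etfsboot.com'
$uefiBoot = Join-Path $SourceDir 'efi\microsoft\boot\efisys.bin'
& $Oscdimg -m -o -u2 -udfver102 "-bootdata:2#p0,e,b$biosBoot#pEF,e,b$uefiBoot" $SourceDir $OutputIso
if ($LASTEXITCODE -ne 0) { throw "oscdimg failed with exit code $LASTEXITCODE" }
Write-Host "Wrote $OutputIso"
```

This services install.wim only, which is all EssOEss needs for the installed OS; if you also want the setup environment itself patched, run the same mount/add/save block against sources\boot.wim (both indexes) before building the ISO.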

devmd01
Mar 7, 2006

Elektronik
Supersonik
Has anyone rolled out windows management framework 5.1? Did you run into any compatibility issues beyond what is noted in the known incompatibilities, i.e. Exchange 2010?

Briantist
Dec 5, 2003

The Professor does not approve of your post.
Lipstick Apathy

devmd01 posted:

Has anyone rolled out windows management framework 5.1? Did you run into any compatibility issues beyond what is noted in the known incompatibilities, i.e. Exchange 2010?

I've installed it on several machines with no issues, but I generally don't touch the kind of software that has those compatibility problems (exchange, sharepoint, skype/lync).

Coredump
Dec 1, 2002

Is there any way to get the Linux sub system running on windows 10 ltsb or am I going back to cygwin?

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Coredump posted:

Is there any way to get the Linux sub system running on windows 10 ltsb or am I going back to cygwin?

LTSB doesn't even have Microsoft Edge.

Coredump
Dec 1, 2002

anthonypants posted:

LTSB doesn't even have Microsoft Edge.

Is Microsoft Edge a required component for Linux?

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Coredump posted:

Is Microsoft Edge a required component for Linux?

I'm saying that it doesn't have a lot of Windows 10 features. Bash on Windows 10 just came out of the insider builds this year, didn't it?

buffbus
Nov 19, 2012
Looks like it's available in my LTSB 2016 VM

milk milk lemonade
Jul 29, 2016

What in the name of Christ Microsoft

Coredump
Dec 1, 2002

buffbus posted:

Looks like it's available in my LTSB 2016 VM



I got that checked on my machine too, and then entered the command "bash" into an admin command prompt and this is what I got:
code:
C:\Windows\system32>bash
-- Beta feature --
This will install Ubuntu on Windows, distributed by Canonical
and licensed under its terms available here:
https://aka.ms/uowterms

The app that you are trying to run is not supported on this version of Windows.
Does anyone know of a sneaky way around this? I'm thinking I'm SOL but here's hoping.

EssOEss
Oct 23, 2006
128-bit approved
Yeah the workaround is pretty easy: install non-LTSB Windows.


peak debt
Mar 11, 2001
b& :(
Nap Ghost
The current LTSB is just extremely limited, it's pretty much the pre-release beta.
I wouldn't go as far as Microsoft and say it's only good for POS and ATM devices. But you definitely cannot expect modern newfangled concepts like Linux on Windows.
